Recently, in advance of the effective date (December 18, 2023), the Director of the SEC’s Division of Corporation Finance provided additional guidance regarding the final rules relating to cybersecurity incident disclosure and cybersecurity risk management, strategy and governance. The Director noted his remarks were intended to “clear up potential misconceptions.” The comments reiterate the observations in the adopting release that the final rules are intended to improve the consistency of disclosure practices among issuers and to promote comparability of disclosures. In commenting on the requirement relating to cybersecurity incidents, the Director notes that the final requirement is “focused on the material impacts of a material cybersecurity incident.” He also noted that the final rules are narrower than the original proposal and reflect the SEC’s effort to balance the need for disclosure with the risks associated with disclosing information that might provide a road map for threat actors.
The Director also underscored the importance of the materiality standard—referring to it as a touchstone of securities laws. He noted that the SEC in the adopting release affirmed that the materiality standard companies should apply for the cybersecurity incident disclosure is the same standard articulated by the Supreme Court in cases such as TSC Industries, Inc. v. Northway, Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, as well as in SEC rules.
The Director also pointed to the ways in which the SEC pared back the disclosure requirements relating to cybersecurity risk management, strategy, and governance in response to commenter concerns. In summarizing the requirements, he noted the final rule focuses on disclosures regarding management’s role in assessing and managing material risks from cybersecurity threats, including, as applicable, whether and which management positions or committees are responsible for cybersecurity threats, and their relevant expertise. In commenting on the board related disclosures, he characterizes these as “more high level, focused on describing the board’s oversight of risks from cybersecurity threats…” Finally, the Director noted that the final rule focuses on cybersecurity processes, recognizing that companies may take different approaches. The Director concluded his remarks by inviting companies to discuss their questions with the Staff. He also observed that the Disclosure Review Program team is preparing to address compliance with the rule, recognizing the value of creating incentives for good faith efforts to comply with the new rules and not penalizing companies for foot faults. See the full text of his comments here, https://www.sec.gov/news/speech/gerding-cybersecurity-disclosure-20231214.
The Staff also has posted a number of Compliance and Disclosure Interpretations, under Exchange Act forms, which are repeated below:
Section 104B. Item 1.05 Material Cybersecurity Incidents.
Question 104B.01
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation. The registrant may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing before the Form 8-K otherwise would be due. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.02
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General makes such determination and notifies the Commission that disclosure should be delayed for a time period as provided for in Form 8-K Item 1.05(c). The registrant subsequently requests that the Attorney General determine that disclosure should be delayed for an additional time period. The Attorney General declines to make such determination or does not respond before the expiration of the current delay period. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the Attorney General. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.03
Question: A registrant experiences a material cybersecurity incident and disclosure of the incident on Form 8-K is delayed pursuant to Form 8-K Item 1.05(c) for a time period of up to 30 days, as specified by the Attorney General. Subsequently, during the pendency of the delay period, the Attorney General determines that disclosure of the incident no longer poses a substantial risk to national security or public safety. The Attorney General notifies the Commission and the registrant of this new determination. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the Attorney General’s notification to the Commission and the registrant that disclosure of the incident no longer poses a substantial risk to national security or public safety. See also “Changes in circumstances during a delay period” in Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.04
Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?
Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.
Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]
[View source.]
